mod_http_oauth2: Restrict introspection to clients own tokens
The introspection code was added before the client hash was added in
0860497152af which allows connecting tokens to clients.
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 25 09:31:21 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Oct 29 11:20:15 2023 +0100
@@ -1061,6 +1061,11 @@
return 401;
end
+ local client = check_client(credentials.username);
+ if not client then
+ return 401;
+ end
+
local form_data = http.formdecode(request.body or "=");
local token = form_data.token;
if not token then
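Review bot: check_client(credentials.username) only establishes that the supplied username names a registered client; nothing in this hunk ties credentials.password to that client, and the function's start (where the credentials are obtained) lies outside the hunk. If the password is not verified against the client before this point, anyone who knows a client_id can introspect that client's tokens, which defeats the ownership check added in the second hunk. If the verification does happen above, a comment such as `-- credentials already verified; resolve the client so token ownership can be enforced below` would make the dependency explicit; if it does not, the secret should be checked against `client` before continuing.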
@@ -1071,6 +1076,10 @@
if not token_info then
return { headers = { content_type = "application/json" }; body = json.encode { active = false } };
end
+ local token_client = token_info.grant.data.oauth2_client;
+ if not token_client or token_client.hash ~= client.client_hash then
+ return 403;
+ end
return {
headers = { content_type = "application/json" };
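Review bot: Returning 403 when the token belongs to another client turns the endpoint into an existence oracle, since a caller can now distinguish "no such token" (active=false) from "valid token, not mine" (403). RFC 7662 §2.2 requires that a token the caller is not allowed to introspect be reported exactly like an inactive one, so the new branch should return the same response as the `not token_info` case: `return { headers = { content_type = "application/json" }; body = json.encode { active = false } };`. Separately, `token_info.grant.data.oauth2_client` indexes `grant` and `data` unconditionally; if tokens issued before the client hash was recorded lack either field, the lookup raises instead of denying, so a guard such as `local grant_data = token_info.grant and token_info.grant.data;` followed by `local token_client = grant_data and grant_data.oauth2_client;` would fail closed. The enclosing function continues past the end of this hunk.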
@@ -1083,7 +1092,7 @@
exp = token.expires;
iat = token.created;
sub = url.build({ scheme = "xmpp"; path = token_info.jid });
- aud = nil;
+ aud = credentials.username;
iss = get_issuer();
jti = token_info.id;
};